Starting up a computer, or booting, is the process of activating the computer from a small program and successively loading and activating more and more programs until, finally, a complete operating system and its associated network, storage, and peripheral support are running. Because the very first program to run, usually a basic input/output system, or BIOS, controls the platform on which every other process and application runs, it is often desirable, if not essential, to have a computer start up using a known boot program. An unqualified, or even malicious, BIOS program can propagate viruses or spyware, capture keystrokes and passwords, and lay the computer open to circumvention of every security measure afforded by later-loaded protection software.
Therefore, it is desirable to ensure that a known, qualified BIOS is initially loaded and executed. Many attempts to ensure booting with the correct BIOS include measures to cryptographically verify a BIOS before it is loaded and run. This, however, often requires yet another program to be installed and run before the BIOS is loaded, and that verifying program must itself be trusted. The problem of rogue programs is then often just moved one step lower in the startup process.
There are several ways to defeat a secure boot process in a computer. The first is to re-program or replace the BIOS in the boot memory. By replacing the boot program, an attacker can cause the computer to load, and possibly execute, code that subverts security steps taken by later-executed programs, such as the operating system. Another method is to replace the jump vectors that point to the authorized BIOS so that the computer boots from a BIOS at another location.
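The two preceding paragraphs describe cryptographically verifying a BIOS image before it runs and the attack of redirecting the jump vector so that the first jump leaves the authorized BIOS. The following is an added worked example, not code from this document or from any vendor's firmware: it builds a constructed ROM image, decodes the far jump at the x86 reset vector, checks that the target resolves into the measured image, and compares the image's SHA-256 digest with a golden digest recorded at provisioning time. The 1 MiB image size, the F000-segment alias of the ROM's top 64 KiB, the entry address, the attacker helper functions and the assumption that the golden digest lives in tamper-resistant storage are all illustrative assumptions, not facts taken from the page.

```python
"""Added example: a verified-boot style check of a constructed BIOS ROM image.

Image size, layout, entry address and digest storage are assumptions made
for illustration; they are not taken from any particular platform.
"""
import hashlib
import hmac
import struct

RESET_VECTOR = 0xFFFFFFF0            # x86 reset vector: first instruction fetch
ROM_SIZE = 1 << 20                   # assumed 1 MiB image, mapped just below 4 GiB
ROM_BASE = (1 << 32) - ROM_SIZE      # 0xFFF00000
F_SEG_BASE = 0xF0000                 # legacy real-mode alias of the ROM's top 64 KiB


def phys_to_rom_offset(addr):
    """Map a physical address to an offset in the ROM image, or None.

    Two windows are decoded: the ROM's own window at the top of the 4 GiB
    address space and the F000 segment alias of its top 64 KiB (assumed).
    """
    if ROM_BASE <= addr < ROM_BASE + ROM_SIZE:
        return addr - ROM_BASE
    if F_SEG_BASE <= addr < F_SEG_BASE + 0x10000:
        return ROM_SIZE - 0x10000 + (addr - F_SEG_BASE)
    return None


def decode_reset_vector(rom):
    """Decode the far JMP (opcode 0xEA, imm16 offset, imm16 segment) placed
    at the reset vector; return its linear target, or None if the bytes
    there are not a far jump."""
    off = phys_to_rom_offset(RESET_VECTOR)
    if rom[off] != 0xEA:
        return None
    ip, cs = struct.unpack_from("<HH", rom, off + 1)
    return (cs << 4) + ip            # real-mode segment:offset -> linear address


def build_rom(entry_cs=0xF000, entry_ip=0xE05B):
    """Construct a known-good image: erased-flash fill, a stand-in BIOS body
    (NOP NOP NOP HLT) at the entry point, and a far jump to it at the vector."""
    rom = bytearray(b"\xff" * ROM_SIZE)
    entry = phys_to_rom_offset((entry_cs << 4) + entry_ip)
    rom[entry:entry + 4] = b"\x90\x90\x90\xf4"
    vec = phys_to_rom_offset(RESET_VECTOR)
    rom[vec:vec + 5] = b"\xea" + struct.pack("<HH", entry_ip, entry_cs)
    return bytes(rom)


def provision_digest(rom):
    """Golden digest taken at manufacturing time. Assumed to be stored in
    tamper-resistant storage (fuses, TPM NV); here it is just returned."""
    return hashlib.sha256(rom).digest()


def verify_boot_rom(rom, golden_digest):
    """Return (ok, reason). The reset vector must land inside the measured
    image, and the whole image must match the golden digest."""
    if len(rom) != ROM_SIZE:
        return False, "unexpected image size"
    target = decode_reset_vector(rom)
    if target is None:
        return False, "reset vector is not a far jump"
    if phys_to_rom_offset(target) is None:
        return False, "reset vector jumps outside the measured ROM: 0x%08x" % target
    if not hmac.compare_digest(hashlib.sha256(rom).digest(), golden_digest):
        return False, "image digest mismatch"
    return True, "ok"


def redirect_reset_vector(rom, cs, ip):
    """Attacker step from the text: rewrite the jump vector so the first jump
    leaves the authorized BIOS (constructed; the target is the caller's)."""
    rom = bytearray(rom)
    vec = phys_to_rom_offset(RESET_VECTOR)
    rom[vec:vec + 5] = b"\xea" + struct.pack("<HH", ip, cs)
    return bytes(rom)


def patch_byte(rom, offset, value):
    """Attacker step from the text: re-program one byte of the BIOS body."""
    rom = bytearray(rom)
    rom[offset] = value
    return bytes(rom)


if __name__ == "__main__":
    good = build_rom()
    golden = provision_digest(good)
    print(verify_boot_rom(good, golden))
    # Vector redirected into option-ROM space (0xC000:0000), outside the image
    print(verify_boot_rom(redirect_reset_vector(good, 0xC000, 0x0000), golden))
    # One byte of the body re-programmed: vector intact, digest differs
    print(verify_boot_rom(patch_byte(good, 0x1000, 0x00), golden))
```

The two attacks fail for different reasons, which is why both checks are kept: a redirected vector is rejected before hashing because its target does not resolve into the measured image, while a silently re-programmed body is caught only by the digest. Note that this reproduces the limitation the text raises: `verify_boot_rom` and the golden digest are themselves code and data that run before the BIOS, so they must be protected at least as well as the BIOS they vouch for.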
The vast majority of computers use the same “well known address”, conventionally 0xFFFFFFF0 on x86 platforms, to begin execution of the software portion of the boot process. This address maps to a location on a device containing persistent storage, often referred to as BIOS ROM, from which the computer will fetch the first instruction, in most cases the first instruction of the BIOS program. The system chipset hardware, e.g. a Northbridge/Southbridge or equivalent, determines which device's persistent storage is pointed to by that address and causes the appropriate location in that device's persistent storage to be read and then executed. Several system buses (PCI, LPC, SPI, etc.) are capable of hosting devices that contain persistent storage that could hold the BIOS needed to boot the platform. Resistors tied to pins on the system chipset are used to select the target system bus from which the system boots. By changing the resistors, a hacker could divert execution from the intended device to a second device with boot code selected by the hacker.
Alternatively, a more sophisticated hacker could monitor the system bus and cause the boot address to be misread by forcing data onto the system bus. The result of either of these latter two attacks is to cause the computer to boot from a non-authorized location, which would, presumably, circumvent a security model imposed through the correct boot code.